init: /dev can be noexec and /run nodev

/dev used to be mounted with "exec" flag due to /dev/MAKEDEV script but that's history and it's now located in /sbin. mmap() with file descriptor to "/dev/zero" (instead of modern mmap(,,,MAP_ANON...)) will still work. There's no reason to have (char/block) device nodes in /run, so let's mount it with "nodev". This does not affect sockets, fifos etc. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2026-01-26 15:39:08 +00:00 · 2019-04-13 13:25:25 +03:00 · 2019-04-13 13:25:25 +03:00 · eb98d2ea11
commit eb98d2ea11
parent cdeb263ad1
1 changed files with 2 additions and 2 deletions
--- a/4
+++ b/4
@ -33,7 +33,7 @@ export quiet

 # Note that this only becomes /dev on the real filesystem if udev's scripts
 # are used; which they will be, but it's worth pointing out
-mount -t devtmpfs -o nosuid,mode=0755 udev /dev
+mount -t devtmpfs -o noexec,nosuid,mode=0755 udev /dev
 mkdir /dev/pts
 mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts || true

@ -207,7 +207,7 @@ else
 	resume=${RESUME:-}
 fi

-mount -t tmpfs -o "noexec,nosuid,size=${RUNSIZE:-10%},mode=0755" tmpfs /run
+mount -t tmpfs -o "nodev,noexec,nosuid,size=${RUNSIZE:-10%},mode=0755" tmpfs /run
 mkdir -m 0755 /run/initramfs

 if [ -n "$log_output" ]; then